Describe General Security and Network Security Features Flashcards

1
Q

____________ is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises.

A

Azure Security Center

2
Q

The Azure product that can:

  • Provide security recommendations based on your current config, resources, & networks
  • Detect & block malware
  • Analyze & identify potential attacks
  • Just-in-time access control for ports
A

Azure Security Center

3
Q

____________ refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.

A

security posture

4
Q

Azure Security Center capabilities include 4 main components. Name the 4.

A
  • Policy compliance
  • Continuous assessments
  • Tailored recommendations
  • Threat protection
5
Q

____________ is a measurement of an organization’s security posture and is based on security controls, or groups of related security recommendations. It is based on the percentage of security controls that you satisfy. The more security controls you satisfy, the higher the rating you receive. It improves when you remediate all of the recommendations for a single resource within a control.

6
Q

____________ access blocks traffic by default to specific network ports of VMs, but allows traffic for a specified time when an admin requests and approves it.

A

Just-in-time VM access

7
Q

A company can control which applications are allowed to run on its VMs. In the background, Security Center uses machine learning to look at the processes running on a VM. It creates exception rules for each resource group that holds the VMs and provides recommendations. This process provides alerts that inform the company about unauthorized applications that are running on its VMs. What is this threat protection called?

A

Adaptive application controls

8
Q

Security Center can monitor the internet traffic patterns of the VMs, and compare those patterns with the company’s current network security group (NSG) settings. From there, Security Center can make recommendations about whether the NSGs should be locked down further and provide remediation steps. This threat protection capability is called __________________.

A

Adaptive network hardening

9
Q

__________ allows a company to configure the monitoring of changes to important files on both Windows and Linux, registry settings, applications, and other aspects that might indicate a security attack.

A

File integrity monitoring

10
Q

___________ uses Azure Logic Apps and Security Center connectors, which are triggered by a threat detection alert or by a Security Center recommendation, filtered by name or by severity. You can then configure the logic app to run an action, such as sending an email, or posting a message to a Microsoft Teams channel. This allows you to investigate or remediate alerts.

A

Workflow automation

11
Q

Security management on a large scale can benefit from a dedicated security information and event management (SIEM) system. A SIEM system aggregates security data from many different sources (as long as those sources support an open-standard logging format). It also provides capabilities for threat detection and response.

___________ is Microsoft’s cloud-based SIEM system. It uses intelligent security analytics and threat analysis.

12
Q

_____________ enables you to:

  • Collect cloud data at scale: Collect data across all users, devices, applications, and infrastructure, both on-premises and from multiple clouds.
  • Detect previously undetected threats: Minimize false positives by using Microsoft’s comprehensive analytics and threat intelligence.
  • Investigate threats with artificial intelligence: Examine suspicious activities at scale, tapping into years of cybersecurity experience from Microsoft.
  • Respond to incidents rapidly: Use built-in orchestration and automation of common tasks.
A

Azure Sentinel

13
Q

Which threat detection product includes connectors and integrations for these products?

  • Office 365
  • Azure Active Directory
  • Azure Advanced Threat Protection
  • Microsoft Cloud App Security
A

Azure Sentinel

14
Q

When a company builds its workloads in the cloud, it needs to carefully handle sensitive information such as passwords, encryption keys, and certificates. This information needs to be available for an application to function, but it might allow an unauthorized person access to application data. _________ is a centralized cloud service for storing an application’s secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.

15
Q

What product are these 5 benefits attributed to?

  • Centralized application secrets: Centralizing the storage for your application secrets enables you to control their distribution, and reduces the chances that secrets are accidentally leaked.
  • Securely stored secrets and keys: Azure uses industry-standard algorithms, key lengths, and HSMs. Access to Key Vault requires proper authentication and authorization.
  • Access monitoring and access control: By using Key Vault, you can monitor and control access to your application secrets.
  • Simplified administration of application secrets: Key Vault makes it easier to enroll and renew certificates from public certificate authorities (CAs). You can also scale up and replicate content within regions and use standard certificate management tools.
  • Integration with other Azure services: You can integrate Key Vault with storage accounts, container registries, event hubs, and many more Azure services. These services can then securely reference the secrets stored in Key Vault.
A

Azure Key Vault

16
Q

A _________ gives you access to free resources. Your personal subscription will not be charged. It may only be used to complete training on Microsoft Learn. Use for any other reason is prohibited, and may result in permanent loss of access to it.

17
Q

Some organizations must follow regulatory compliance that requires them to be the only customer using the physical machine that hosts their virtual machines. ___________ provides physical servers to host your Azure VMs for Windows and Linux.

18
Q

True or false: A dedicated host is mapped to a physical server in an Azure datacenter. A host group is a collection of dedicated hosts.

A

True

19
Q

These are benefits of what product?

  • Gives you visibility into, and control over, the server infrastructure that’s running your Azure VMs.
  • Helps address compliance requirements by deploying your workloads on an isolated server.
  • Lets you choose the number of processors, server capabilities, VM series, and VM sizes within the same host.
A

Azure Dedicated Host

20
Q

To provide the best availability with the Azure Dedicated Host product, you can provision multiple hosts in a ________ and deploy your VMs across it.

A

host group

21
Q

VMs on dedicated hosts can also take advantage of ______________. This feature enables you to control when regular maintenance updates occur, within a 35-day rolling window.

A

maintenance control

22
Q

Referring to the attached image, how can Tailwind Traders enforce having only certain applications run on its VMs?

  • Connect your VMs to Azure Sentinel.
  • Create an application control rule in Azure Security Center.
  • Periodically run a script that lists the running processes on each VM. The IT manager can then shut down any applications that shouldn’t be running.
A

Create an application control rule in Azure Security Center.

With Azure Security Center, you can define a list of allowed applications to ensure that only applications you allow can run. Azure Security Center can also detect and block malware from being installed on your VMs.

23
Q

Referring to the attached image, what’s the easiest way for Tailwind Traders to combine security data from all of its monitoring tools into a single report that it can take action on?

  • Collect security data in Azure Sentinel.
  • Build a custom tool that collects security data, and displays a report through a web application.
  • Look through each security log daily and email a summary to your team.
A

Collect security data in Azure Sentinel

Azure Sentinel is Microsoft’s cloud-based SIEM. A SIEM aggregates security data from many different sources to provide additional capabilities for threat detection and responding to threats.

24
Q

Referring to the attached image, which is the best way for Tailwind Traders to safely store its certificates so that they’re accessible to cloud VMs?

  • Place the certificates on a network share.
  • Store them on a VM that’s protected by a password.
  • Store the certificates in Azure Key Vault.
A

Store the certificates in Azure Key Vault

Azure Key Vault enables you to store your secrets in a single, central location. Key Vault also makes it easier to enroll and renew certificates from public certificate authorities (CAs).

25
Q

Referring to the attached image, how can Tailwind Traders ensure that certain VM workloads are physically isolated from workloads being run by other Azure customers?

  • Configure the network to ensure that VMs on the same physical host are isolated.
  • This is not possible. These workloads need to be run on-premises.
  • Run the VMs on Azure Dedicated Host.
A

Run the VMs on Azure Dedicated Host

Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.

26
Q

The objective of __________ is to protect information and prevent it from being stolen by those who aren’t authorized to access it. This strategy uses a series of mechanisms to slow the advance of an attack that aims to gain unauthorized access to data, leveraging multiple levels of protection so that each layer is isolated from the next.

A

defense in depth

27
Q

Identify the 7 layers of the defense in depth strategy.

A
  1. The physical security layer is the first line of defense to protect computing hardware in the datacenter.
  2. The identity and access layer controls access to infrastructure and change control.
  3. The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
  4. The network layer limits communication between resources through segmentation and access controls.
  5. The compute layer secures access to virtual machines.
  6. The application layer helps ensure that applications are secure and free of security vulnerabilities.
  7. The data layer controls access to business and customer data that you need to protect.
28
Q

The _________ layer is the first line of defense to protect computing hardware in the datacenter. The intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can’t be bypassed, and that loss or theft is handled appropriately.

A
  • The physical security layer is the first line of defense to protect computing hardware in the datacenter.
29
Q

The ________ layer controls access to infrastructure and change control. At this layer, it’s important to:

  • Control access to infrastructure and change control.
  • Use single sign-on (SSO) and multifactor authentication.
  • Audit events and changes.
A
  • The identity and access layer controls access to infrastructure and change control. This layer is all about ensuring that identities are secure, access is granted only to what’s needed, and sign-in events and changes are logged.
30
Q

The __________ layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users. At this layer, it’s important to:

  • Use DDoS protection to filter large-scale attacks before they can affect the availability of a system for users.
  • Use firewalls to identify and alert on malicious attacks against your network.
A
  • The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
31
Q

The __________ layer limits communication between resources through segmentation and access controls. At this layer, it’s important to:

  • Limit communication between resources.
  • Deny by default.
  • Restrict inbound internet access and limit outbound access where appropriate.
  • Implement secure connectivity to on-premises networks.

At this layer, the focus is on limiting the connectivity across all your resources to allow only what’s required. By limiting this communication, you reduce the risk of an attack spreading to other systems.

A
  • The network layer limits communication between resources through segmentation and access controls.
32
Q

The ______ layer secures access to virtual machines. At this layer, it’s important to:

  • Secure access to virtual machines.
  • Implement endpoint protection on devices and keep systems patched and current.

Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure that your resources are secure and that you have the proper controls in place to minimize security issues.

A
  • The compute layer secures access to virtual machines.
33
Q

The _________ layer helps ensure that your products are secure and free of security vulnerabilities. At this layer, it’s important to:

  • Ensure that your products are secure and free of vulnerabilities.
  • Store sensitive secrets in a secure storage medium.
  • Make security a design requirement for all development.
A
  • The application layer helps ensure that applications are secure and free of security vulnerabilities. Integrating security into the application development lifecycle helps reduce the number of vulnerabilities introduced in code. Every development team should ensure that its applications are secure by default.
34
Q

The _________ layer controls access to business and customer data that you need to protect.

A

The data layer controls access to business and customer data that you need to protect. In almost all cases, attackers are after data:

  • Stored in a database.
  • Stored on disk inside virtual machines.
  • Stored in software as a service (SaaS) applications, such as Office 365.
  • Managed through cloud storage.

Those who store and control access to data are responsible for ensuring that it’s properly secured. Often, regulatory requirements dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.

35
Q

Your ____________ is your organization’s ability to protect from and respond to security threats.

A

security posture

36
Q

The 3 common principles used to define a security posture are:

A

CIA: confidentiality, integrity, and availability

37
Q

__________ leverages the principle of least privilege, which means restricting access to information only to individuals explicitly granted access, at only the level that they need to perform their work. This information includes protection of user passwords, email content, and access levels to applications and underlying infrastructure.

A

Confidentiality

38
Q

____________ is a security posture principle used to prevent unauthorized changes to information:

  • At rest: when it’s stored.
  • In transit: when it’s being transferred from one place to another, including from a local computer to the cloud.
A

Integrity

39
Q

____________ is a security posture principle used to ensure that services are functioning and can be accessed only by authorized users. Denial-of-service attacks are designed to degrade the availability of a system, affecting its users.

A

Availability

40
Q

__________ attacks are designed to degrade the availability of a system, affecting its users.

A

Denial-of-service

41
Q

A ____________is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. You can create rules that specify ranges of IP addresses. Only clients granted IP addresses from within those ranges are allowed to access the destination server. The rules can also include specific network protocol and port information.

A

firewall

42
Q

____________ is a managed, cloud-based network security service that helps protect resources in your Azure virtual networks.

43
Q

A ________ is similar to a traditional network that you’d operate in your own datacenter. It’s a fundamental building block for your private network that enables virtual machines and other compute resources to securely communicate with each other, the internet, and on-premises networks.

A

virtual network

44
Q

____________ is a stateful, managed service that grants or denies server access based on the originating IP address in order to protect network resources.

A

Azure firewall

45
Q

True or false: Azure’s Firewall as a Service (FaaS), called Azure Firewall, has the following characteristics:

  • Applies inbound and outbound traffic filtering rules
  • Has built-in high availability
  • Provides unrestricted cloud scalability
  • Uses Azure Monitor logging
A

True

46
Q

True or false: Azure Application Gateway provides a Web Application Firewall (WAF) providing centralized, inbound protection for your web applications.

A

True

47
Q

True or false: Azure Firewall uses a dynamic private IP address for your virtual network resources, which enables outside firewalls to identify traffic coming from your virtual network.

A

False: Azure Firewall uses a static (unchanging) public IP address for your virtual network resources, which enables outside firewalls to identify traffic coming from your virtual network.

48
Q

Name 3 services that provide Web Application Firewall services.

49
Q

True or false: With Azure Firewall, you can configure Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.

A

True

50
Q

True or false: With Azure Firewall, you can configure Network rules that define source address, protocol, destination port, and destination address.

A

True

51
Q

True or false: Azure Firewall does not support Network Address Translation (NAT).

A

False: With Azure Firewall, you can configure Network Address Translation (NAT) rules that define destination IP addresses and ports to translate inbound requests.

52
Q

A ___________ attack attempts to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users. These attacks can target any resource that’s publicly reachable through the internet, including websites.

53
Q

__________ sanitizes unwanted network traffic before it impacts service availability.

54
Q

True or false: Basic Azure DDoS protection is not provided automatically and requires a special subscription to activate.

A

False. It is automatically enabled.

55
Q

True or false: The Azure DDoS Protection Standard service tier adds mitigation capabilities that are tuned to protect Azure Virtual Network resources, at an additional cost.

A

True

56
Q

To best ensure you manage your cloud consumption and costs, which DDoS protection tier should you run for external facing services?

A

Standard

DDoS Protection can also help you manage your cloud consumption. When you run on-premises, you have a fixed number of compute resources. But in the cloud, elastic computing means that you can automatically scale out your deployment to meet demand. A cleverly designed DDoS attack can cause you to increase your resource allocation, which incurs unneeded expense. DDoS Protection Standard helps ensure that the network load you process reflects customer usage. You can also receive credit for any costs accrued for scaled-out resources during a DDoS attack.

57
Q

Name the 3 types of attacks that the DDoS Protection standard tier can help prevent.

A
  • Volumetric attacks

The goal of this attack is to flood the network layer with a substantial amount of seemingly legitimate traffic.

  • Protocol attacks

These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.

  • Resource-layer (application-layer) attacks (only with web application firewall)

These attacks target web application packets to disrupt the transmission of data between hosts. You need a web application firewall (WAF) to protect against L7 attacks. DDoS Protection Standard protects the WAF from volumetric and protocol attacks.

58
Q

The goal of a ___________ DDoS attack is to flood the network layer with a substantial amount of seemingly legitimate traffic.

A
  • Volumetric attacks
59
Q

The goal of __________ attacks is to render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.

A
  • Protocol attacks
60
Q

The goal of a _____________ or application-layer attack is to target web application packets to disrupt the transmission of data between hosts. You need a web application firewall (WAF) to protect against L7 attacks. DDoS Protection Standard protects the WAF from volumetric and protocol attacks.

A
  • Resource-layer (application-layer) attacks (only with web application firewall)
61
Q

A ___________ enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of it as an internal firewall: it is used to protect internal networks and provides an extra layer of defense against attacks.

62
Q

An __________ can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.

A

network security group

63
Q

True or false: Network security groups can allow you to filter network traffic and to override default rules with new, higher priority rules.

A

True. When you create a network security group, Azure creates a series of default rules to provide a baseline level of security. You can’t remove the default rules, but you can override them by creating new rules with higher priorities.

64
Q

A ___________ gives you access to free resources. Your personal subscription will not be charged. It may only be used to complete training on Microsoft Learn. Use for any other reason is prohibited, and may result in permanent loss of access to feature.

A

sandbox

65
Q

The perimeter layer is about protecting your organization’s resources from network-based attacks. Identifying these attacks, alerting the appropriate security teams, and eliminating their impact are important to keeping your network secure. Name the 2 key steps to do this.

A
  • Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for users.
  • Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.
66
Q

What are the recommended actions to best secure the network layer?

A
  1. At this layer, the focus is on limiting network connectivity across all of your resources to allow only what’s required. Segment your resources and use network-level controls to restrict communication to only what’s needed.
  2. By restricting connectivity, you reduce the risk of lateral movement throughout your network from an attack. Use network security groups to create rules that define allowed inbound and outbound communication at this layer.
  3. Deny by default.
  4. Restrict inbound internet access and limit outbound where appropriate.
  5. Implement secure connectivity to on-premises networks.
67
Q

You can combine Azure networking and security services to manage your network security and provide increased layered protection. Name the two ways you can best combine services to accomplish this.

A
  1. Network security groups and Azure Firewall

Azure Firewall complements the functionality of network security groups. Together, they provide better defense-in-depth network security.

Network security groups provide distributed network-layer traffic filtering to limit traffic to resources within virtual networks in each subscription.

Azure Firewall is a fully stateful, centralized network firewall as a service. It provides network-level and application-level protection across different subscriptions and virtual networks.

  2. Azure Application Gateway web application firewall and Azure Firewall

Web application firewall (WAF) is a feature of Azure Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities.

Azure Firewall provides:

  • Inbound protection for non-HTTP/S protocols (for example, RDP, SSH, and FTP).
  • Outbound network-level protection for all ports and protocols.
  • Application-level protection for outbound HTTP/S.
68
Q

At which layer would you protect your network boundaries with Azure DDoS Protection and Azure Firewall?

A

Perimeter

69
Q

At the ___________ layer you only permit traffic to pass between networked resources with Network Security Group (NSG) inbound and outbound rules.

A

Networking

70
Q

___________ is a managed, cloud-based network security service that helps protect resources in Azure virtual networks.

A
  • Azure Firewall
71
Q

_____________ is similar to a traditional network that you’d operate in your own datacenter. It enables virtual machines and other compute resources to securely communicate with each other, the internet, and on-premises networks.

A
  • An Azure virtual network
72
Q

_____________ enables you to filter network traffic to and from Azure resources within a virtual network.

A
  • A network security group (NSG)
73
Q

Which of the following security services are not part of the network defense layer?

  • Network Security Groups (NSG)
  • Azure Firewall
  • Web Application Firewall
  • DDoS Protection
A
  • Network Security Groups (NSG)
74
Q

An attacker can bring down your website by sending a large volume of network traffic to your servers. Which Azure service can help Tailwind Traders protect its App Service instance from this kind of attack?

  • Azure Firewall
  • Network security groups
  • Azure DDoS Protection
A

Azure DDoS Protection

DDoS Protection helps protect your Azure resources from DDoS attacks. A DDoS attack attempts to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users.

75
Q

What’s the best way for Tailwind Traders to limit all outbound traffic from VMs to known hosts?

  • Configure Azure DDoS Protection to limit network access to trusted ports and hosts.
  • Create application rules in Azure Firewall.
  • Ensure that all running applications communicate with only trusted ports and hosts.
A

Create application rules in Azure Firewall.

Azure Firewall enables you to limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDNs).

76
Q

How can Tailwind Traders most easily implement a deny by default policy so that VMs can’t connect to each other?

  • Allocate each VM on its own virtual network.
  • Create a network security group rule that prevents access from another VM on the same network.
  • Configure Azure DDoS Protection to limit network access within the virtual network.
A

Create a network security group rule that prevents access from another VM on the same network.

A network security group rule enables you to filter traffic to and from resources by source and destination IP address, port, and protocol.

77
Q

Your company needs to ensure compliance with FIPS 140-2. Keeping encryption keys in an HSM boundary is required for Federal Information Processing Standard (FIPS) 140-2, so companies that need to maintain compliance with FIPS 140-2 can do so by using the ________.

A

Premium tier of Key Vault

Keeping encryption keys in an HSM boundary is required for Federal Information Processing Standard (FIPS) 140-2, so companies that need to maintain compliance with FIPS 140-2 can do so by using the Premium tier of Key Vault.

78
Q

True or false: A key stored in Azure Key Vault would typically be accessed programmatically by an application. To protect the key, application developers can retrieve the key each time it’s needed instead of retrieving it once and storing it in memory. This ensures that the key remains secure.

A

True

79
Q

True or false: In order to use Key Vault for disk encryption keys, the access policies must be configured to allow the vault for disk encryption.

A

True

80
Q

True or false: Azure Sentinel may only be used for Azure, requiring you to use a different product for threat reporting and analysis for on-premises resources and for resources on other clouds.

A

False. Azure Sentinel isn’t only for Azure. It can also provide threat reporting and analysis for on-premises resources and for resources on other clouds.

81
Q

True or false: With Azure Dedicated Hosts, you can choose a window of time for updates to be applied to your host computer.

A

True. In a nondedicated host scenario, Microsoft will apply updates to the host computer at a time of their choosing. With Azure Dedicated Hosts, you can choose a window of time for updates to be applied to your host computer. This allows you more control over any brief periods of impact an update might cause to your VMs.

82
Q

You configure a Network Security Group (NSG) to prevent all traffic except traffic from the Internet and you then associate that NSG with a subnet containing two VMs. Will those VMs still be able to communicate with each other?

A

No

An NSG that’s associated with a subnet affects all VMs inside that subnet, as well as traffic to and from the subnet. For example, let’s say you configure an NSG to prevent all traffic except traffic from the Internet and you then associate that NSG with a subnet containing two VMs. In that event, those two VMs will no longer be able to communicate with each other because only traffic from the Internet is allowed by the NSG.

83
Q

True or false: Azure Firewall is a stateful firewall.

A

True

This means that it stores data in its memory about the state of network connections that flow through it. When new network packets for an existing connection hit the firewall, it can tell if the state of that connection represents a security threat.

84
Q

You have set up a jumpbox where you also want to ensure that traffic flowing from the subnet where other servers are located is secure and not inappropriately sending data out of your network. What should you do?

A

It’s important to understand that a firewall can (and should) be used to filter traffic flowing into and out of a network. For example, you want the firewall to handle traffic into your jumpbox, but you also want to ensure that traffic flowing from the subnet where other servers are located is secure and not inappropriately sending data out of your network.

85
Q

True or false: You can only have virtual networks from the same Azure subscription in a DDoS Protection plan.

A

False. The fact that you can add virtual networks from multiple Azure subscriptions to the same DDoS Protection plan is an important concept. You are billed a large monthly charge for the DDoS Protection plan, and if you create two DDoS Protection plans, you have just doubled your costs.